Monday, 28 July 2014

If you’re looking to create an account with minimum permissions for joining Clustered ONTAP clusters (tested with 8.2.1) to OnCommand Unified Manager 6.1, this unofficial blog post might help. The role was built by starting with a read-only account, checking the command-history.log to see which commands were failing for lack of access, and then adding in just the required permissions.

Note: The role will need to be reviewed for later releases of OnCommand Unified Manager and Clustered Data ONTAP.

Requirements for the User Account

The user account needs to support the following features:

- Allow the monitoring abilities of OCUM to work

- Allow SnapRestore to function for restores within the same read-write volume

Note 1: The first and fourth lines are required for OCUM monitoring. Line 4 was added because of an alert for “aggr-check-spare-low” with “Insufficient privileges” in the command-history.log.

Note 2: The second and third lines are required for SnapRestore to function.

Note 3: I was considering adding the 5th line below because I was seeing some errors from “storage-shelf-list-info” in the command-history.log with “Enclosure services not ready at this time” - I put this down to testing on a SIM though. Adding “storage disk show all” also affects “storage disk modify”.

Note: The second line is required because only users with application ssh and the role admin or backup can run the command “vserver services ndmp generate-password”, which is required for NDMP restores to function (also, the backup role comes with “vserver services ndmp” all access).
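
The method described at the top of this post (start read-only, then read the command-history.log for calls rejected for lack of access) can be partly automated. The following is an added example, not part of the original post: it separates “Insufficient privileges” errors, as in Note 1, from unrelated errors such as the one in Note 3. The " :: "-separated line layout, the sample lines and the user name `ocum_user` are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines. The " :: "-separated layout (source, client,
# owner:user, request, result) is an assumption for this example; adapt
# parse() to the command-history.log format on your cluster.
SAMPLE_LOG = """\
Mon Jul 28 2014 10:15:02 ontapi :: 192.0.2.10:50122 :: cluster1:ocum_user :: <aggr-check-spare-low/> :: Error: Insufficient privileges
Mon Jul 28 2014 10:15:03 ontapi :: 192.0.2.10:50122 :: cluster1:ocum_user :: <volume-get-iter/> :: Success
Mon Jul 28 2014 10:15:09 ontapi :: 192.0.2.10:50122 :: cluster1:ocum_user :: <storage-shelf-list-info/> :: Error: Enclosure services not ready at this time
Mon Jul 28 2014 10:20:02 ontapi :: 192.0.2.10:50130 :: cluster1:ocum_user :: <aggr-check-spare-low/> :: Error: Insufficient privileges
Mon Jul 28 2014 10:21:44 ontapi :: 192.0.2.20:40100 :: cluster1:other_user :: <aggr-check-spare-low/> :: Error: Insufficient privileges
"""

def parse(line):
    """Return (user, api, result) for one log line, or None if it does not fit."""
    parts = [p.strip() for p in line.split(" :: ")]
    if len(parts) != 5:
        return None
    api = re.search(r"<([a-z][a-z0-9-]*)", parts[3])
    if api is None:
        return None
    return parts[2].rpartition(":")[2], api.group(1), parts[4]

def triage(log_text, user):
    """Split one user's failed calls into privilege denials and other errors."""
    denied, other = Counter(), Counter()
    for line in log_text.splitlines():
        entry = parse(line)
        if entry is None or entry[0] != user:
            continue
        _, api, result = entry
        if not result.startswith("Error"):
            continue  # successful calls need no role change
        if "insufficient privileges" in result.lower():
            denied[api] += 1           # candidate for a new role entry
        else:
            other[(api, result)] += 1  # not a privilege denial; review separately
    return denied, other

if __name__ == "__main__":
    denied, other = triage(SAMPLE_LOG, "ocum_user")
    for api, n in denied.most_common():
        print(f"DENIED {n}x {api}")
    for (api, result), n in other.items():
        print(f"OTHER  {n}x {api}: {result}")
```

Only the calls reported as denied are candidates for new role entries; each one still needs a decision on whether the monitoring account should have that access at all.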